Service IAM Roles in Production Accounts
Veeam Backup for AWS launches worker instances in production accounts to perform the following operations:
- To index EFS file systems.
- [Applies if enabled in the backup policy or restore settings] To create EC2 image-level backups and to perform restore from EC2 image-level backups.
To launch worker instances in production accounts, Veeam Backup for AWS uses the permissions of backup IAM roles and restore IAM roles. However, these roles cannot be used to automatically create the IAM roles that are attached to the launched worker instances for communication with Veeam Backup for AWS. That is why you must create worker IAM roles manually in the AWS Management Console, as described in section Appendix A. Creating IAM Roles in AWS, and assign them the permissions listed in section Indexing Worker IAM Role Permissions or Backup and Restore Worker IAM Role Permissions. Because a worker IAM role is attached to an EC2 instance through an instance profile, its trust policy must allow the EC2 service (ec2.amazonaws.com) to assume it; grant the role only the listed permissions and do not widen the trust policy beyond that service principal.
Since you do not specify a separate IAM role for file-level restore operations, Veeam Backup for AWS also uses the role that you specify when enabling worker deployment in production accounts in the restore settings to launch worker instances for file-level restore. That is why this role must also be assigned the permissions listed in section FLR Worker IAM Role Permissions.
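As an added example (not Veeam's own code or documentation), the following Python snippet builds the minimal trust policy a manually created worker IAM role needs, and audits an existing trust policy to confirm it can be assumed only by the EC2 service principal. The permission policies themselves are the ones listed in the sections referenced above and are not reproduced here; the over-broad sample policy at the bottom is constructed for illustration and does not come from any real account.

```python
"""Build and audit the trust policy of an IAM role intended for worker instances.

Added example, not Veeam's own code. A worker IAM role is attached to the
launched EC2 worker instance through an instance profile, so its trust policy
must let the EC2 service principal assume it and nothing else. The sample
policies below are constructed for illustration only.
"""
import json

EC2_SERVICE_PRINCIPAL = "ec2.amazonaws.com"
ASSUME_ROLE_ACTION = "sts:AssumeRole"


def ec2_trust_policy() -> dict:
    """Return the minimal trust policy for a role attached to an EC2 instance profile."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"Service": EC2_SERVICE_PRINCIPAL},
                "Action": ASSUME_ROLE_ACTION,
            }
        ],
    }


def _as_list(value):
    """IAM accepts a scalar or a list in many fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def audit_trust_policy(policy: dict) -> list:
    """Return findings; an empty list means every Allow statement is scoped to EC2 only."""
    findings = []
    statements = _as_list(policy.get("Statement"))
    if not statements:
        return ["no Statement in trust policy"]
    for idx, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access; nothing to flag
        principal = stmt.get("Principal")
        if principal == "*" or (
            isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))
        ):
            findings.append(f"statement {idx}: wildcard principal lets any AWS identity assume the role")
        elif not isinstance(principal, dict):
            findings.append(f"statement {idx}: unexpected Principal {principal!r}")
        else:
            for key in principal:
                if key != "Service":
                    findings.append(f"statement {idx}: principal type {key!r} is not needed for an instance role")
            extra = [s for s in _as_list(principal.get("Service")) if s != EC2_SERVICE_PRINCIPAL]
            if extra:
                findings.append(f"statement {idx}: unexpected service principals {extra}")
        actions = _as_list(stmt.get("Action"))
        if not actions or any(a != ASSUME_ROLE_ACTION for a in actions):
            findings.append(f"statement {idx}: Action should be exactly {ASSUME_ROLE_ACTION}, got {actions}")
    return findings


# Constructed sample of an over-broad trust policy (not from any real account):
# a wildcard AWS principal, an extra service principal and an extra action.
OVERBROAD_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "sts:AssumeRole"},
        {
            "Effect": "Allow",
            "Principal": {"Service": ["ec2.amazonaws.com", "lambda.amazonaws.com"]},
            "Action": ["sts:AssumeRole", "sts:TagSession"],
        },
    ],
}

if __name__ == "__main__":
    # The clean document is what you would pass as the assume-role policy when creating the role.
    print(json.dumps(ec2_trust_policy(), indent=2))
    for finding in audit_trust_policy(OVERBROAD_TRUST_POLICY):
        print("FINDING:", finding)
```

The document returned by `ec2_trust_policy()` is the value you pass as the assume-role policy document when creating the worker role (for example with `aws iam create-role --assume-role-policy-document`); the audit is useful when reviewing roles that already exist in a production account before you reference them in the backup or restore settings.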
By default, Veeam Backup for AWS automatically chooses the most appropriate network settings of AWS Regions in production accounts when launching worker instances for EFS indexing operations, and the default network settings of AWS Regions when launching worker instances for EC2 backup and restore operations. However, you can add worker configurations to specify the network settings for each region in which worker instances will be deployed. When you create a worker configuration, Veeam Backup for AWS uses the permissions of the worker configuration IAM role to list the network settings available in AWS Regions of the production AWS account. That is why, if you add worker configurations that will be used to launch worker instances in production accounts, the IAM roles specified in the worker configuration settings must be granted the following permissions: